Bug 1341079 - Installation in container fails because of /var/lock/opencryptoki
Summary: Installation in container fails because of /var/lock/opencryptoki
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: opencryptoki
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1341088
 
Reported: 2016-05-31 08:41 UTC by Jan Pazdziora
Modified: 2017-12-12 10:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1341088 (view as bug list)
Environment:
Last Closed: 2017-12-12 10:42:12 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora 2016-05-31 08:41:11 UTC
Description of problem:

Installing opencryptoki into container image fails because the rpm contains /var/lock/opencryptoki but Fedora base image does not contain /run/lock.

Version-Release number of selected component (if applicable):

opencryptoki-3.4.1-1.fc23.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run --rm -ti fedora:23 dnf install -y opencryptoki

Actual results:

$ docker run --rm -ti fedora:23 dnf install -y opencryptoki
Fedora 23 - x86_64 - Updates                     51 MB/s |  22 MB     00:00    
Fedora 23 - x86_64                               58 MB/s |  43 MB     00:00    
Last metadata expiration check performed 0:00:26 ago on Tue May 31 08:32:12 2016.
Dependencies resolved.
================================================================================
 Package                    Arch         Version            Repository     Size
================================================================================
Installing:
 opencryptoki               x86_64       3.4.1-1.fc23       updates       101 k
 opencryptoki-icsftok       x86_64       3.4.1-1.fc23       updates       228 k
 opencryptoki-libs          x86_64       3.4.1-1.fc23       updates        45 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 373 k
Installed size: 1.0 M
Downloading Packages:
(1/3): opencryptoki-3.4.1-1.fc23.x86_64.rpm     693 kB/s | 101 kB     00:00    
(2/3): opencryptoki-libs-3.4.1-1.fc23.x86_64.rp 202 kB/s |  45 kB     00:00    
(3/3): opencryptoki-icsftok-3.4.1-1.fc23.x86_64 1.0 MB/s | 228 kB     00:00    
--------------------------------------------------------------------------------
Total                                           276 kB/s | 373 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : opencryptoki-libs-3.4.1-1.fc23.x86_64                       1/3 
  Installing  : opencryptoki-icsftok-3.4.1-1.fc23.x86_64                    2/3 
  Installing  : opencryptoki-3.4.1-1.fc23.x86_64                            3/3 
Error unpacking rpm package opencryptoki-3.4.1-1.fc23.x86_64
Error unpacking rpm package opencryptoki-3.4.1-1.fc23.x86_64
error: unpacking of archive failed on file /var/lock/opencryptoki: cpio: mkdir
opencryptoki-3.4.1-1.fc23.x86_64 was supposed to be installed but is not!
  Verifying   : opencryptoki-3.4.1-1.fc23.x86_64                            1/3 
  Verifying   : opencryptoki-libs-3.4.1-1.fc23.x86_64                       2/3 
  Verifying   : opencryptoki-icsftok-3.4.1-1.fc23.x86_64                    3/3 

Installed:
  opencryptoki-icsftok.x86_64 3.4.1-1.fc23                                      
  opencryptoki-libs.x86_64 3.4.1-1.fc23                                         

Failed:
  opencryptoki.x86_64 3.4.1-1.fc23                                              

Complete!

Expected results:

No error.

Additional info:

The /var/lock is a symlink to /run/lock:

$ docker run --rm -ti fedora:23 ls -la /var/run /run/lock
ls: cannot access /run/lock: No such file or directory
lrwxrwxrwx. 1 root root 6 Mar  4 05:17 /var/run -> ../run

The /run gets mounted as tmpfs so opencryptoki should be putting in anything there anyway. If it needs the directory in runtime, it likely should use tmpfiles.

There is the same problem with centos:centos7 and opencryptoki-3.2-5.el7_2.x86_64.

On RHEL, the /run has /run/lock in the image but I believe the fix should go to RHEL as well.

Comment 2 Jakub Jelen 2016-05-31 09:22:30 UTC
We are using tmpfiles already, but for some reason only for the subdirectories of /run/lock/opencryptoki (also the subdirs are part of the RPM, which they should not be). The fix will look something like the one below, but give me some time to test before issuing updates:

diff --git a/opencryptoki.spec b/opencryptoki.spec
index 77e70e6..d7048ab 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -195,6 +195,7 @@ token_subdirs="$token_subdirs lite ccatok ep11tok"
 %endif
 
 cp -p %{SOURCE1} %{name}-tmpfiles.conf
+echo "D /var/lock/opencryptoki/ 0770 root pkcs11 -" >> %{name}-tmpfiles.conf
 for d in $token_subdirs
 do
     echo "D /var/lock/opencryptoki/$d 0770 root pkcs11 -" >> %{name}-tmpfiles.conf
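
Review bot: The added echo line writes the tmpfiles entry through /var/lock, which the report describes as a symlink to /run/lock whose target is missing in the image, so the entry depends on that symlink resolving when tmpfiles are processed. Consider naming the real location in the entry and dropping the trailing slash so it matches the loop entries below it, for example "D /run/lock/opencryptoki 0770 root pkcs11 -". Nothing in the visible lines creates the directory at install time, so an environment that never processes tmpfiles (a container without an init) would still lack it; say in the spec how that case is covered.
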
@@ -277,8 +278,6 @@ exit 0
 %{_libdir}/opencryptoki/methods
 %{_libdir}/pkcs11/methods
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/*
 
 %files libs
 %license LICENSE
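
Review bot: Dropping both %dir lines from %files leaves /var/lock/opencryptoki and its subdirectories unowned by this package, so rpm -qf and rpm -V no longer cover the 0770 root:pkcs11 mode and ownership that the removed lines declared. Consider keeping ownership without unpacking the directory, e.g. "%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}", and letting the tmpfiles entry create it.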

Comment 3 Dan Horák 2016-05-31 09:43:32 UTC
I think there were some issues with the tmpfiles based /var/lock but can't recall the details now. Something with installing into a chroot and a workaround in mock ...

Comment 4 Jan Pazdziora 2016-05-31 10:42:36 UTC
I assume you have bug 1084052 in mind.

Comment 6 Jakub Jelen 2016-05-31 10:51:15 UTC
The first insight was too early before lunch, so ignore the patch in comment #2. We already have /var/lock/opencryptoki/ in tmpfiles and creating the directories is advised. The problem is the missing /var/lock (and /run/lock, which would be an alternative).

Comment 7 Jakub Jelen 2016-06-02 13:43:41 UTC
We didn't get any update on the ML, so here are a few more notes from my investigation, filling gaps in my prior knowledge (maybe worth pasting to fedora-devel too?):

Fedora corresponds to Standard FHS [1]. It does not specify what /run should look like. The content that opencryptoki is trying to store fits well into /var/lock.

On the other hand, the exceptions in the packaging guidelines speak about /run, which also looks like a place to fit these files these days.

"Systemd"/freedesktop file-hierarchy does not specify the */lock directories in any special way [2]; instead it recommends the path /run/package for this usage, which is probably the way to go.

So I guess a valid solution would be to move from /run/lock/opencryptoki to /run/opencryptoki (but not in RHEL7).

Opencryptoki configure does not accept modification of this directory, so it needs to be patched (I will propose some configure option upstream, if this is the way we want to go). I built a scratch build [3] for rawhide before pushing this to the wild, so you can check if it does what it is supposed to do.

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#Filesystem_Layout
[2] https://www.freedesktop.org/software/systemd/man/file-hierarchy.html
[3] http://koji.fedoraproject.org/koji/taskinfo?taskID=14353034

Comment 8 Pasi Karkkainen 2016-06-17 20:13:04 UTC
I'm seeing the same problem with package "iptraf-ng" on CentOS 7.2, when running in Docker container:


  Installing : iptraf-ng-1.1.4-4.el7.x86_64       51/59 
Error unpacking rpm package iptraf-ng-1.1.4-4.el7.x86_64

error: unpacking of archive failed on file /var/lock/iptraf-ng: cpio: mkdir

Comment 9 Pasi Karkkainen 2016-06-17 20:28:44 UTC
Centos:7 docker base image bug/issue:

"/var/lock is a symlink to a non-existant directory":
https://github.com/CentOS/sig-cloud-instance-images/issues/46

Comment 10 Jan Pazdziora 2016-08-22 09:47:57 UTC
It looks like bug 1343138 brought /var/lock to current fedora:24 image (11a5107645d4).

Comment 11 Fedora End Of Life 2016-11-25 09:10:02 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 12 Jan Pazdziora 2016-11-25 13:55:11 UTC
Due to bug 1343138 comment 11, things work on fedora:24 but fail again on fedora:25 and fedora:rawhide.

Comment 13 Adam Williamson 2017-05-26 21:32:25 UTC
Note, same issue affects installing to a mock chroot:

<mock-chroot> sh-4.4# dnf install opencryptoki
Last metadata expiration check: 0:00:00 ago on Fri May 26 14:31:36 2017 PDT.
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                     Arch                                                  Version                                                        Repository                                             Size
==============================================================================================================================================================================================================================================
Installing dependencies:
 opencryptoki                                                x86_64                                                3.7.0-1.fc27                                                   fedora                                                101 k

Transaction Summary
==============================================================================================================================================================================================================================================
Install  1 Package

Total size: 101 k
Installed size: 264 k
Downloading Packages:
[SKIPPED] opencryptoki-3.7.0-1.fc27.x86_64.rpm: Already downloaded                                                                                                                                                                           
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                      1/1 
  Installing       : opencryptoki-3.7.0-1.fc27.x86_64                                                                                                                                                                                     1/1 
Error unpacking rpm package opencryptoki-3.7.0-1.fc27.x86_64
Error unpacking rpm package opencryptoki-3.7.0-1.fc27.x86_64
error: unpacking of archive failed on file /var/lock/opencryptoki: cpio: mkdir
opencryptoki-3.7.0-1.fc27.x86_64 was supposed to be installed but is not!
  Verifying        : opencryptoki-3.7.0-1.fc27.x86_64                                                                                                                                                                                     1/1 

Failed:
  opencryptoki.x86_64 3.7.0-1.fc27                                                                                                                                                                                                            

Error: Transaction failed

Comment 14 Fedora End Of Life 2017-11-16 19:16:28 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 15 Jan Pazdziora 2017-11-29 15:05:12 UTC
While things still fail on fedora:25, they work on fedora:26 and higher:

# docker run --rm -ti fedora:25 dnf install -y opencryptoki
[...]
  Installing  : opencryptoki-3.6.2-1.fc25.x86_64               3/3 
Error unpacking rpm package opencryptoki-3.6.2-1.fc25.x86_64
Error unpacking rpm package opencryptoki-3.6.2-1.fc25.x86_64
error: unpacking of archive failed on file /var/lock/opencryptoki: cpio: mkdir
opencryptoki-3.6.2-1.fc25.x86_64 was supposed to be installed but is not!
  Verifying   : opencryptoki-3.6.2-1.fc25.x86_64               1/3 

# docker run --rm -ti fedora:26 dnf install -y opencryptoki
[...]
  Running scriptlet: opencryptoki-icsftok-3.6.2-1.fc26.x86_64  2/3 
  Installing       : opencryptoki-3.6.2-1.fc26.x86_64          3/3 
  Running scriptlet: opencryptoki-3.6.2-1.fc26.x86_64          3/3 
Failed to connect to bus: No such file or directory
  Verifying        : opencryptoki-3.6.2-1.fc26.x86_64          1/3 

primarily because of the /run/lock fix per bug 1343138 comment 16.

What is the best resolution of this bugzilla (so that it does not fall into EOL)?

Comment 16 Jakub Jelen 2017-11-29 15:45:15 UTC
I am no longer the opencryptoki main contact, but I noticed that Dan Horak was building the latest packages in Fedora 28, which brought some improvement for this issue directly from IBM upstream. It is now shipping the new tmpfiles with the following content, so it should work regardless of the referenced fix (I did not test that):

# path          mode    uid     gid     age
D /var/lock/opencryptoki     0770    root    pkcs11  -
D /var/lock/opencryptoki/swtok 0770 root pkcs11 -
D /var/lock/opencryptoki/tpm 0770 root pkcs11 -
D /var/lock/opencryptoki/icsf 0770 root pkcs11 -

So I believe CLOSED CURRENTRELEASE/NEXTRELEASE is appropriate, if you agree.
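
The tmpfiles.d entries quoted in comment 16 can be checked against an unpacked image root for the dangling /var/lock symlink from the description and for the declared 0770 mode. This is an added example, not part of the bug report or the opencryptoki packaging; the function names `audit_tmpfiles` and `first_dangling` and the sample tree are constructed here, and symlinks in the tree are assumed to be relative.

```shell
#!/bin/sh
# Added example (not opencryptoki packaging code): audit tmpfiles.d d/D entries
# against an unpacked root tree. Prints one "<status> <path>" line per entry:
#   ok | missing | mode:<actual> | dangling:<first dangling symlink in the path>
# Assumption: symlinks inside the tree are relative (e.g. /var/lock -> ../run/lock).
# Ownership (root:pkcs11) is not checked here, only existence and mode.

first_dangling() {                  # $1 = root, $2 = absolute path inside root
    fd_root=$1; fd_cur=""
    IFS=/; set -f; set -- $2; set +f; unset IFS
    for part in "$@"; do
        [ -n "$part" ] || continue  # skip the empty field before the leading /
        fd_cur="$fd_cur/$part"
        if [ -L "$fd_root$fd_cur" ] && [ ! -e "$fd_root$fd_cur" ]; then
            printf '%s\n' "$fd_cur"; return 0
        fi
    done
    return 1
}

audit_tmpfiles() {                  # $1 = root, $2 = tmpfiles.d config file
    while read -r type path mode rest; do
        case $type in d|D) ;; *) continue ;; esac   # comments, other types
        path=${path%/}
        if link=$(first_dangling "$1" "$path"); then
            echo "dangling:$link $path"
        elif [ ! -d "$1$path" ]; then
            echo "missing $path"
        else
            actual=$(stat -c %a "$1$path")          # GNU stat, octal mode
            if [ "$actual" = "${mode#0}" ]; then echo "ok $path"
            else echo "mode:$actual $path"; fi
        fi
    done < "$2"
}

demo() {   # constructed tree: /var/lock points at a /run/lock that is absent
    t=$(mktemp -d)
    mkdir -p "$t/var" "$t/run"
    ln -s ../run/lock "$t/var/lock"
    printf '%s\n' 'D /var/lock/opencryptoki 0770 root pkcs11 -' \
                  'D /var/lock/opencryptoki/swtok 0770 root pkcs11 -' > "$t/c.conf"
    audit_tmpfiles "$t" "$t/c.conf"
    rm -rf "$t"
}
demo
```

A `dangling:` result means a package that ships the directory as a file would fail to unpack there, as in the transcripts above.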

Comment 17 Fedora End Of Life 2017-12-12 10:42:12 UTC
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

